Planning the Placement of a NAP Health Policy Server

The NAP health policy server is an essential component of any NAP design. In order for a computer to function as a NAP health policy server, it must be running Windows Server 2008 R2 or Windows Server 2008 and the NPS service must be installed and configured for NAP health evaluation.

The placement of a NAP health policy server on your network determines where NAP client computers will send health credentials for processing. Because the health policy server is a central component of the NAP infrastructure, it must be able to communicate with several other NAP components, such as NAP enforcement points and, if necessary, health requirement servers. To perform domain user authentication for 802.1X and VPN-based connections, the NAP health policy server also requires a connection to a directory service, such as Active Directory Domain Services (AD DS). See the following figure.

All NAP designs described in this guide require that you install at least one NAP health policy server, but you might have more than one health policy server on the network in the following situations:

When you need to provide load balancing and failover.

When you need to carry out health evaluation locally on multiple enforcement servers.

When health policy servers are colocated with multiple domain controllers.

If you use more than one health policy server on your network, you can replicate policies and settings by exporting the NPS configuration from a primary server with the netsh nps export command and importing it on the other servers with the netsh nps import command.
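As an added example, not part of this guide, the following PowerShell script performs that replication from the primary server to a set of secondary health policy servers. The server names and paths are placeholders, and it assumes PowerShell remoting is enabled on the secondaries and the script runs with administrative rights.

```powershell
# Added example (not from the original guide): push the NPS configuration from the
# primary NAP health policy server to secondary servers using netsh nps export/import.
# Assumptions: run on the primary server as an administrator; PS remoting is enabled
# on each secondary; $Secondaries and $ExportFile are placeholder values.

$Secondaries = @('NPS2.corp.example', 'NPS3.corp.example')   # placeholder host names
$ExportFile  = Join-Path $env:TEMP 'nps-config.xml'
$RemoteFile  = 'C:\Windows\Temp\nps-config.xml'              # exists on every server

# exportPSK=YES includes the RADIUS shared secrets; without it, RADIUS clients on the
# secondaries would be imported with empty secrets and enforcement points would fail
# authentication. The secrets are written in cleartext, so lock the file down and
# delete it as soon as the import is done.
netsh nps export filename="$ExportFile" exportPSK=YES
if ($LASTEXITCODE -ne 0) { throw "netsh nps export failed on $env:COMPUTERNAME" }

# Restrict the export to Administrators and SYSTEM for as long as it exists locally.
icacls $ExportFile /inheritance:r /grant:r 'Administrators:(F)' 'SYSTEM:(F)' | Out-Null

try {
    foreach ($server in $Secondaries) {
        $session = New-PSSession -ComputerName $server
        try {
            Copy-Item -Path $ExportFile -Destination $RemoteFile -ToSession $session

            # netsh nps import replaces the entire NPS configuration on the target,
            # so every secondary ends up identical to the primary.
            Invoke-Command -Session $session -ArgumentList $RemoteFile -ScriptBlock {
                param($file)
                netsh nps import filename="$file"
                if ($LASTEXITCODE -ne 0) { throw "netsh nps import failed on $env:COMPUTERNAME" }
                Remove-Item -Path $file -Force   # remove the cleartext secrets
            }
            Write-Host "Replicated NPS configuration to $server"
        }
        finally {
            Remove-PSSession $session
        }
    }
}
finally {
    # Remove the local copy of the export regardless of success.
    Remove-Item -Path $ExportFile -Force -ErrorAction SilentlyContinue
}
```

After a successful import, verify the RADIUS client entries on each secondary in the NPS console or with netsh nps show config, since an export made without exportPSK=YES silently drops the shared secrets.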